Testbeds and Research Infrastructures for the Development of Networks and Communications. 14th EAI International Conference, TridentCom 2019, Changsha, China, December 7-8, 2019, Proceedings

Research Article

Ransomware Detection Based on an Improved Double-Layer Negative Selection Algorithm

  • @INPROCEEDINGS{10.1007/978-3-030-43215-7_4,
        author={Tianliang Lu and Yanhui Du and Jing Wu and Yuxuan Bao},
        title={Ransomware Detection Based on an Improved Double-Layer Negative Selection Algorithm},
        proceedings={Testbeds and Research Infrastructures for the Development of Networks and Communications. 14th EAI International Conference, TridentCom 2019, Changsha, China, December 7-8, 2019, Proceedings},
        proceedings_a={TRIDENTCOM},
        year={2020},
        month={3},
        keywords={Ransomware; Negative selection algorithm; API call sequence; Artificial Immune System; Cuckoo sandbox},
        doi={10.1007/978-3-030-43215-7_4}
    }
    
  • Tianliang Lu
    Yanhui Du
    Jing Wu
    Yuxuan Bao
    Year: 2020
    Ransomware Detection Based on an Improved Double-Layer Negative Selection Algorithm
    TRIDENTCOM
    Springer
    DOI: 10.1007/978-3-030-43215-7_4
Tianliang Lu1, Yanhui Du1,*, Jing Wu1, Yuxuan Bao1
  • 1: People’s Public Security University of China
*Contact email: duyanhui@ppsuc.edu.cn

Abstract

Files encrypted by ransomware that uses public-key cryptography are almost impossible to decrypt, so early detection and prevention are all the more important. Signature matching has a low detection rate for unknown or polymorphic ransomware, and several intelligent algorithms have been proposed to address this. Inspired by the Artificial Immune System (AIS), an improved double-layer negative selection algorithm (DL-NSA) is proposed that reduces the number of holes (regions of non-self space no detector can cover) in the negative selection algorithm (NSA) and increases the detection rate. To obtain the behavioral characteristics of ransomware (e.g., file reads and writes, cryptographic API calls and network connections), a Cuckoo sandbox was built to simulate the running environment of the malicious code. After dynamic analysis, the behavioral characteristics of the ransomware were encoded as antigens. The improved double-layer negative selection algorithm uses two sets of immune detectors. The first-layer detector set is generated by the original negative selection algorithm using r-contiguous bits matching. The second-layer detector set is generated directionally to cover the holes left by the first layer, using r-chunk matching with a variable matching threshold. Simulation results show that, compared with NSA, the algorithm achieves higher coverage of the non-self space and increases the ransomware detection rate.
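The two-layer scheme described above, as an added toy illustration (not the authors' code): antigens are reduced to fixed-length bit strings, the self set, the layer-1 detector count and the seed are constructed here, and the directional hole-covering step is a simplified interpretation of the abstract (shortest r-chunk per hole that is absent from self at that position).

```python
"""Toy double-layer negative selection over L-bit strings (added illustration).
Layer 1: random detectors kept only if they r-contiguous-match no self string.
Layer 2: r-chunk detectors (position, chunk) cut from the holes, with the chunk
length raised per hole until the chunk occurs in no self string at that position."""
import random

def r_contiguous_match(a, b, r):
    """True if a and b share r contiguous identical bits at the same positions."""
    return any(a[i:i + r] == b[i:i + r] for i in range(len(a) - r + 1))

def generate_layer1(self_set, L, r, n, rng, max_tries=5000):
    """Original NSA: keep random candidates that match no self string."""
    detectors = []
    while len(detectors) < n and max_tries > 0:
        max_tries -= 1
        cand = ''.join(rng.choice('01') for _ in range(L))
        if not any(r_contiguous_match(cand, s, r) for s in self_set):
            detectors.append(cand)
    return detectors

def holes(self_set, L, r):
    """Non-self strings no layer-1 detector can ever match: each r-window of the
    string coincides with some self string's window at the same position."""
    return [x for x in (format(i, f'0{L}b') for i in range(2 ** L))
            if x not in self_set
            and all(any(s[i:i + r] == x[i:i + r] for s in self_set)
                    for i in range(L - r + 1))]

def generate_layer2(self_set, hole_set, r_min):
    """Directional generation: for each uncovered hole take the shortest chunk
    (length >= r_min) absent from every self string at that position."""
    layer2 = []
    for h in hole_set:
        if any(h[p:p + len(c)] == c for p, c in layer2):
            continue                      # an earlier chunk already covers this hole
        for r in range(r_min, len(h) + 1):
            pos = next((p for p in range(len(h) - r + 1)
                        if all(s[p:p + r] != h[p:p + r] for s in self_set)), None)
            if pos is not None:
                layer2.append((pos, h[pos:pos + r]))
                break                     # the whole string always works as last resort
    return layer2

def classify(x, layer1, layer2, r):
    """Non-self (True) if either detector layer matches x."""
    return (any(r_contiguous_match(d, x, r) for d in layer1)
            or any(x[p:p + len(c)] == c for p, c in layer2))

# Constructed self set: the two strings agree on their middle windows, which is
# exactly what produces holes under r-contiguous matching (here r = 3).
SELF, L, R = ['010100', '110101'], 6, 3
HOLES = holes(SELF, L, R)                        # ['010101', '110100']
LAYER1 = generate_layer1(SELF, L, R, 20, random.Random(7))
LAYER2 = generate_layer2(SELF, HOLES, 2)         # [(0, '010101'), (0, '110100')]
```

Note that for this self set even layer 2 needs full-length chunks to cover the holes without matching self, which is the variable-threshold behaviour the abstract refers to.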